Chap 9 - putting it together Flashcards
what is governance
align or link the organizations’ overall goals and objectives to the lower-level security and asset protection goals and objectives that security professionals help establish, operate and maintain
what are policies
mandatory
are formally prepared, authoritatively issued directions or statements of intent that senior leadership provides to the organization
to be effective as a directive, it must be explicitly linked to an enforcement mechanism
what are procedures
mandatory
define the explicit, repeatable activities necessary to accomplish a specific task or set of tasks
what are guidelines
non-mandatory
act as advisory information and can offer insights drawn from experience and observation
what are standards
mandatory
cover a broad range of issues and ideas (NIST, ISO)
what is the breadth-and-depth hierarchy of administrative controls (steps)
- Policies
- standards
- guidelines
- procedures
what is COBIT framework
way to manage and document enterprise IT and IT security functions
what is ITIL
IT service set of best practices
what is a security framework
establishes a starting set of security requirements or data protection drivers for the workflow as a whole. the framework also establishes the success criteria used to assess the in-use system and its controls for compliance and security assessment purposes
what is a risk framework (ERM)
like security control frameworks, dedicated risk management frameworks can be used by the security professional to optimize the organization's response to risk
role of forensic investigation tools
the tools of digital forensics are put into action moments after an incident or malfunction has been detected. these tools and processes are used to gather data, some of which may be used as evidence in a more formal investigation
how to maintain integrity of an investigation
- respect ethical walls
- non-disclosure
- evidence handling
- respect rights of individuals and other parties
- communication with outside persons conducted through appropriate channels
what are key steps in digital forensic investigation
- appoint an evidence custodian
- maintain a chain of custody
- use backups
- make copies of all original evidence
- maintain the chain of evidence
what is admissible evidence in court
admissibility: evidence that is acceptable to the court may be presented. it must be:
- accurate
- comprehensible
- objective
what are the 4 types of investigation
- administrative (internal)
- civil
- regulatory
- criminal
what is a business impact analysis (BIA)
the BIA is the effort to determine the value of each asset belonging to the organization, as well as the potential risk of losing assets and the threats likely to affect the organization
BIA provides the foundation to determine the overall scope and extent of the BCDR plans
3 key control parameters for BCDR
- maximum allowable downtime (MAD) = amount of downtime tolerable without causing significant/unacceptable harm to the organization
- recovery time objective (RTO) = target time for recovery (less than MAD). BCDR strategy and plans must support achieving the desired RTO
- recovery point objective (RPO) = amount of data the organization can lose before unacceptable harm is caused to the organization. RPO is usually a storage amount (refers to data loss)
what key parameters must be established for response activation
- criteria for initiating the response action
- personnel authorized to initiate BCDR action
- information chain to provide the decision-making authority with sufficient data
what are the key participants in response team
- responders
- IT
- security
- legal
- human resources
- finance/accounting
- public relations/communications
- senior management / leadership
why is assessment of loss critical
- criminal prosecution -> determine the damage
- civil actions -> determine the damage
- investor reporting
- informing regulators
how can the human factor of risk be limited
candidate screening & hiring process
1. detailed & reliable job description
2. checking candidate references
3. checking employment history
4. performing a background check
5. assessing a financial profile
3 main employment agreements & policies
- employee handbook
- employee contract
- NDA
what are the various types of NDAs
- unilateral NDA
- bilateral NDA
- multilateral NDA
- non-compete agreement
what are the main considerations when engaging vendors, consultants, contractors, etc.
- contractual protections
- NDA and NCA
- distinct restricted account
- escort requirement
- distinguishing ID
what are the categories of NIST Cyber Security Framework
- identify
- protect
- detect
- respond
- recover
what are the 4 perspectives used to define "what is at risk"
- asset-based
- outcome-based and process-based
- vulnerability-based
- threat-based
what is “Risk”
a possible event which can have a negative impact upon the organization
what is hazard
a precondition of a system, workplace, or environment that could cause a risk
what is a vulnerability
an inherent weakness or flaw in a system or component
what is a threat
a human actor or group that makes the deliberate decision to exploit a vulnerability to cause harm
what are the four choices when confronted with risk
- mitigate
- avoid
- transfer
- accept
how can risk be mitigated
- remediation measures
- risk controls or security controls implemented
even after all measures are implemented there is still a "RESIDUAL RISK"
what is risk avoidance
cease operating those activities of the organization that are exposed to a particular risk
what is risk transfer
practice of paying another party to accept the risk (e.g., insurance)
what is risk acceptance
it is the opposite of avoidance. decide to conduct activities despite the risk, because the impact or likelihood is negligible
what are the 3 meanings of risk exposure
- exposure window measures, over time, the likelihood or probability of occurrence of a risk event
- risk exposure factor (EF) is an estimated fraction of an asset's or outcome's value to the organization that is reduced by a single occurrence of a risk event
- exposure estimation is a description of how certain risks are categorically much lower or higher than others for a given organization
what are the two types of risk assessment
- qualitative = giving relative ranking (e.g., High, low)
- quantitative = numeric value to probability & impact
when to use qualitative assessment
- newness
- uniqueness
- time limitation
- no reliable measuring method
when to use a quantitative approach
- business process
- measurement techniques - precise and reliable
- experience with process and data quantity
risk assessment method (math)
annual loss expectancy (ALE) = SLE x ARO
ARO = annual rate of occurrence = number of times the given impact is expected to happen per year
SLE = single loss expectancy = expected impact of a single occurrence of the risk
SLE = AV x EF
AV = asset value
EF = exposure factor = fraction from 0 to 1 that represents the amount of damage to the asset (0 = no damage / 1 = fully damaged)
what are the elements of STRIDE (threat modeling)
- spoofing ID
- tampering with data
- repudiation
- information disclosure
- DoS
- elevation of privilege
what are the 3 applicable types of controls
- administrative
- logical/technological
- physical
what are the categories of security controls
- directive / administrative
- deterrent
- preventive
- compensating
- detective
- corrective
- recovery
what are the various techniques to present awareness & training
- computer-based training (CBT)
- live in-person training
- online synchronous training
- regular communications
- reward mechanism
- gamification
What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis.
Conduct a cost/benefit analysis.
The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organization should implement proposed countermeasure(s).
Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?
Combination of quantitative and qualitative risk assessment
Which one of the following actions might be taken as part of a business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations
B. Implementing RAID
RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action.
Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.
Which one of the following is not normally included in business continuity plan documentation?
A. Statement of accounts
B. Statement of importance
C. Statement of priorities
D. Statement of organizational responsibility
A. Statement of accounts
Business continuity plan documentation normally includes:
- the continuity planning goals
- a statement of importance
- a statement of priorities
- a statement of organizational responsibility
- a statement of urgency and timing
- risk assessment, risk acceptance and mitigation documents
- a vital records program
- emergency response guidelines
- documentation for maintaining and testing the plan
Which one of the following is not normally considered a business continuity task?
A. Business impact assessment
B. Emergency response guidelines
C. Electronic vaulting
D. Vital records program
C. Electronic vaulting
Electronic vaulting is a data backup task that is part of disaster recovery, not business continuity, efforts.
Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?
A. Structured analysis of the organization
B. Review of the legal and regulatory landscape
C. Creation of a BCP team
D. Documentation of the plan
D. Documentation of the plan
The project scope and planning phase includes four actions:
1. a structured analysis of the organization,
2. the creation of a BCP team,
3. an assessment of available resources,
4. an analysis of the legal and regulatory landscape.
Which one of the following stakeholders is not typically included on a business continuity planning team?
A. Core business function leaders
B. Information technology staff
C. CEO
D. Support departments
CEO
While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.
COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management role is most likely to select and apply COBIT to balance the need for security controls against business requirements?
A. Business owners
B. Data processors
C. Data owners
D. Data stewards
A. Business owners
Business owners have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive.
Harold is assessing the susceptibility of his environment to hardware failures and would like to identify the expected lifetime of a piece of hardware. What measure should he use for this?
MTTF
The mean time to failure (MTTF) provides the average amount of time before a device of that particular specification fails.
Ben’s development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?
A. Auditing and logging is enabled.
B. RBAC is used for specific operations.
C. Data type and format checks are enabled.
D. User input is tested against a whitelist.
B. RBAC is used for specific operations.
Using role-based access controls (RBACs) for specific operations will help to ensure that users cannot perform actions that they should not be able to.
Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?
A. Information disclosure
B. Denial of service
C. Tampering
D. Repudiation
D. Repudiation
Since a shared symmetric key could be used by any of the servers, transaction identification problems caused by a shared key are likely to involve a repudiation issue.